From The Editor | March 10, 2022

100 Days And Many Ways To Cybersecurity


By Kevin Westerling,
@KevinOnWater


A Q&A with Riggs Eckelberry, founder and CEO of OriginClear, on the need to improve cybersecurity at water and wastewater utilities, which has elicited action from the Biden administration and everyday operators alike.

As water and wastewater utilities adopt digitalization more readily — a good idea, overall — it unfortunately leaves them (and the public) vulnerable to cyberattacks. In recent years, municipal drinking-water operations in Florida, the Bay Area, and Baltimore have been threatened, as have wastewater operations in Maine and California.[1] And as more systems go digital, the number of attacks is bound to follow suit, raising the likelihood of a tragic event.

In response, President Biden announced the Water Sector Action Plan in January, “to facilitate the deployment of technologies and systems that provide cyber-related threat visibility, indicators, detections, and warnings.” The plan brings the Industrial Control Systems (ICS) Cybersecurity Initiative that was launched for the electric sector[2] in August 2021 to the water sector; and, like its predecessor, it aims to shore up and protect operations within 100 days. The sooner the better, to be sure, but is it enough?

I spoke with Riggs Eckelberry to get his thoughts on cybersecurity from the perspective of a company leader who earned renown for turning struggling companies around after the dot-com crash. He then turned his entrepreneurial spirit into a biofuels business that has since expanded into water recycling, using the same idea that extracts oil from algae to retrieve water from sewage.

Keenly aware of infrastructure issues, the need for source-water protection, and available funding mechanisms (or lack thereof), Riggs brought his innovative-but-practical mind to bear on the subject of cybersecurity in the following Q&A.

President Biden recently released a 100-day action plan to protect our water systems from cyberattacks. Why is cybersecurity now getting such attention?

Whenever you think of security, you have to think of the points of greatest vulnerability. And because the water industry is extremely ubiquitous, and greatly based upon infrastructure that was built over the last hundred years, it is vulnerable. So it makes sense to reinforce this point of vulnerability.

Do you think the plan sufficiently addresses the threats specifically posed to the water industry?

The plan is very similar to what the administration has done for other utility sectors. The problem is that the federal government’s contribution to water utilities has been on a steady downtrend path since the ’70s, and utilities are already under pressure to meet ever-stricter water quality standards. So without additional funding, the initiative is likely to fall short.

What aspects of water/wastewater operations are most vulnerable to hackers? What could cause the greatest harm?

The greatest harm could occur at a choke point such as tertiary treatment, or denitrification, which tends to be concentrated in one location. Other locations are more spread out and might not be as vulnerable.

What suggestions would you give to utilities to secure these high-risk areas?

Upgrading controls to current technology is about the only thing that can be done. It’s not a simple solution, but I don’t think it can be avoided.

Is cybersecurity a DIY effort, or does it typically require outside expertise?

Remember when the government attempted to build the Affordable Care Act database? It simply was not feasible for the government to do in-house, and it finally worked when Silicon Valley was brought in to help. I think we need the same kind of “Manhattan Project” approach to support water. We need to move beyond the complacency about water that seems to exist and create a sense of urgency so that security actors would jump in. That requires making water treatment and management more high profile — and even “sexy,” which is a challenge!

Is lack of funding an impediment to implementing cybersecurity? How can that be overcome?

There’s no question that the water utilities are chronically underfunded. So, yes — we need to think about how we overcome that. Perhaps it’s done with donated efforts by security interests, assuming they can see some public-relations benefit. Really, it’s about the water industry getting out of its shell and promoting itself.

What role can distributed water treatment play in the fight against cyberattacks?

Since a landmark study was done by Lux Research in 2016, which I wrote about for Water Online,[3] it’s been obvious that decentralization of water treatment is not only a good idea but also inevitable. It will put the onus for cleaning water on the people who make it dirty in the first place and also will tend to unload the excessive burden on central utilities that have been underfunded for so long as to their infrastructure needs.

This decentralization or distributed water treatment is also a really, really good idea for cybersecurity. Remember, the internet was originally built by DARPA [Defense Advanced Research Projects Agency] to provide a failsafe computer network. By making the nodes in the network less dependent on each other, the critical technology infrastructure could withstand the greatest threat at the time, which was nuclear attack.

Cybersecurity is no different. By spreading out water treatment and water management, we reduce the choke points and the interdependency, and any local attack can be isolated to that point.

OriginClear has been implementing a new DBOO, or Design-Build-Own-Operate, capital program. How can this help in the fight against cyberattacks?

Historically, DBOO has been implemented for larger applications such as desalination plants for entire islands. But this private utility model is very useful for individual businesses that might not have a capital program for their own water system and also lack the expertise. That’s the new program we call “Water On Demand.” By solving capital needs and providing a fully outsourced managed service, we also can provide very high-quality site management and modern protection against cyberattacks.

What predictions do you have for the future of cyber-threats, cybersecurity, and cyber policies?

Security is always best carried out in layers and also with maximum isolation of network nodes. For this reason, I really see the trend toward decentralization of water treatment and water conveyance as being the most productive solution for effective cybersecurity.

Read the White House Fact Sheet on the 100-day Water Sector Action Plan.

References

  1. https://www.wateronline.com/doc/president-launches-new-plan-to-strengthen-u-s-water-systems-againstcyberattacks-0001
  2. https://www.whitehouse.gov/briefing-room/statements-releases/2021/08/25/fact-sheet-biden-administration-andprivate-sector-leaders-announce-ambitious-initiatives-to-bolster-the-nations-cybersecurity/
  3. https://www.wateronline.com/doc/the-water-revolution-moving-to-a-decentralized-system-0001